
Antivirus detection bypass by specially crafted archive.



 
 Release Date : 2005-10-05
 Tested on: Windows 2000 SP2 & SP4
 Tested with: Jotti Online Antivirus Scanner
 Tested with: VirusTotal Online Antivirus Scanner
 Tested with: Command line freeware UnRAR v3.50
 Tested with: PowerZip v7.06
 Discovered by: fRoGGz
 Credit to: SecuBox Labs
 
 -=====================================================================-

  Analysis
 __________

 A specially crafted archive containing a virus passes through
 the antivirus scanner without detection.

 An attacker can compress a malicious payload and evade
 detection by some antivirus software.

 The bypassed malicious content poses no risk until it is
 extracted from the RAR archive; once extracted, the malicious
 content will be detected and eliminated by your antivirus.
 Note that this second chance only exists where an on-access
 scanner sees the extracted file: a scanner that only ever sees
 the archive itself (an on-demand scan, or a scan at a gateway)
 reports it clean.

 Unlike WinZip or BitZipper, which refuse to open the file,
 WinRAR & PowerZip open and extract it.

 -=====================================================================-
 
 Proof of Concept
 ________________

 We used eicar.com, the EICAR test file: a 68-byte file that
 antivirus products detect as if it were a virus.
 
 For more information, see:
 Ref: [ http://shadock.net/secubox/AVCraftedArchive.html ]
 
 Results for: SecuBox_AVPoC1.rar
 _______________________________
 ([!] detected, [?] not detected, [~] not detected but annotated as suspect)

 [?] AntiVir Found nothing
 [?] ArcaVir Found nothing
 [?] Avast Found nothing
 [!] AVG Antivirus Found EICAR_Test (+187)
 [!] BitDefender Found EICAR-Test-File (not a virus)
 [!] CAT-QuickHeal Found Eicar.Test
 [~] ClamAV Found nothing >> Suspect
 [?] Dr.Web Found nothing
 [?] eTrust-Iris Found nothing
 [?] eTrust-Vet Found nothing
 [!] Fortinet Found EICAR_TEST_FILE
 [?] F-Prot Antivirus Found nothing
 [!] Ikarus Found EICAR_Test
 [?] Kaspersky Antivirus Found nothing
 [?] McAfee Found nothing
 [?] NOD32 Found nothing
 [?] Norman Virus Control Found nothing
 [!] Panda Found Eicar.Mod
 [?] Sophos Found nothing
 [?] Symantec Found nothing
 [?] TheHacker Found nothing
 [?] UNA Found nothing
 [?] VBA32 Found nothing
 
 Results for: SecuBox_AVPoC2.rar
 ________________________________

 [?] AntiVir Found nothing
 [!] ArcaVir Found Eicar.Test
 [!] Avast Found EICAR Test-NOT!!
 [!] AVG Antivirus Found EICAR_Test
 [?] BitDefender Found nothing
 [!] CAT-QuickHeal Found Eicar.Test
 [~] ClamAV Found nothing >> Suspect
 [?] Dr.Web Found nothing
 [?] eTrust-Iris Found nothing
 [?] eTrust-Vet Found nothing
 [?] Fortinet Found nothing
 [?] F-Prot Antivirus Found nothing
 [!] Ikarus Found EICAR_Test
 [?] Kaspersky Antivirus Found nothing
 [?] McAfee Found nothing
 [?] NOD32 Found nothing
 [?] Norman Virus Control Found nothing
 [!] Panda Found Eicar.Mod
 [!] Sophos Found EICAR-AV-Test
 [?] Symantec Found nothing
 [?] TheHacker Found nothing
 [?] UNA Found nothing
 [?] VBA32 Found nothing
 
 Results for: SecuBox_AVPoC3.cab
 ________________________________
 
 [?] AntiVir Found nothing
 [?] ArcaVir Found nothing
 [?] Avast Found nothing
 [!] AVG Antivirus Found EICAR_Test
 [?] BitDefender Found nothing
 [?] CAT-QuickHeal Found nothing
 [?] ClamAV Found nothing
 [?] Dr.Web Found nothing
 [?] eTrust-Iris Found nothing
 [?] eTrust-Vet Found nothing
 [?] Fortinet Found nothing
 [?] F-Prot Antivirus Found nothing
 [?] Ikarus Found nothing
 [?] Kaspersky Antivirus Found nothing
 [?] McAfee Found nothing
 [?] NOD32 Found nothing
 [?] Norman Virus Control Found nothing
 [?] Panda Found nothing
 [?] Sophos Found nothing
 [?] Symantec Found nothing
 [?] TheHacker Found nothing
 [?] UNA Found nothing
 [!] VBA32 Found EICAR-Test-File
 
 Unix test with ClamAV
 _____________________
 
 thot:~$ clamscan --no-summary SecuBox_AVPoC3.cab
 SecuBox_AVPoC3.cab: OK
 thot:~$ cabextract SecuBox_AVPoC3.cab
 Extracting cabinet: SecuBox_AVPoC3.cab
 extracting EICAR.com
 All done, no errors.
 thot:~$ clamscan --no-summary EICAR.com
 EICAR.com: Eicar-Test-Signature FOUND
 thot:~$
 
 thot:~$ clamscan -V
 ClamAV 0.87/1120/Fri Oct 7 13:06:49 2005
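 The pattern in the Analysis and in the clamscan/cabextract transcript
 above (scanner reports the archive clean, extractor still recovers the
 payload, scan of the extracted file hits) comes down to two parsers
 disagreeing about the same bytes. The following is an added example,
 not code from the advisory or from SecuBox Labs. The advisory does not
 say how its RAR and CAB files were crafted, so the example uses a ZIP
 whose central-directory signature is overwritten; that corruption is an
 assumption chosen for illustration, not the advisory's technique. The
 archive, the damage step, and the "signature engine" (a plain match on
 the EICAR string) are all constructed inline so it runs offline.

```python
import io
import struct
import zipfile
import zlib

# The standard EICAR test string (68 bytes), the same payload the advisory used.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

LOCAL_HEADER = "<4s2B4HL2L2H"            # PKZIP local file header layout
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER)   # 30 bytes


def build_archive(payload=EICAR, name="EICAR.com"):
    """Constructed input: a well-formed ZIP holding the payload, deflated so
    the signature is not visible in the raw archive bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def damage_central_directory(data):
    """Assumed, illustrative corruption: overwrite the central-directory
    entry signature 'PK\\x01\\x02'. The end-of-central-directory record and
    the local file header are left intact, so a by-the-book reader that
    starts from the central directory rejects the file, while a reader
    that walks local headers still finds the member."""
    idx = data.rfind(b"PK\x01\x02")
    assert idx >= 0, "no central directory entry found"
    return data[:idx] + b"XXXX" + data[idx + 4:]


def lenient_extract(data):
    """Walk local file headers directly, ignoring the central directory,
    the way a tolerant extractor recovers members from a damaged archive.
    Returns {name: content}; content is None for unsupported methods."""
    members = {}
    pos = 0
    while True:
        pos = data.find(b"PK\x03\x04", pos)
        if pos < 0:
            break
        (_sig, _ver, _ver_hi, _flags, method, _time, _date, _crc,
         csize, _usize, name_len, extra_len) = struct.unpack_from(LOCAL_HEADER, data, pos)
        name_start = pos + LOCAL_HEADER_LEN
        data_start = name_start + name_len + extra_len
        name = data[name_start:name_start + name_len].decode("utf-8", "replace")
        raw = data[data_start:data_start + csize]
        if method == zipfile.ZIP_STORED:
            content = raw
        elif method == zipfile.ZIP_DEFLATED:
            content = zlib.decompress(raw, -15)      # raw deflate stream
        else:
            content = None
        members[name] = content
        pos = data_start + csize
    return members


def has_signature(blob):
    """Stand-in for a signature engine: match the EICAR string."""
    return blob is not None and EICAR in blob


def scan_archive_naive(data):
    """Container-trusting scanner: if the ZIP parser rejects the archive,
    nothing inside is examined and the file is reported clean. This is the
    behaviour the advisory's result tables show for most engines."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infected = any(has_signature(zf.read(n)) for n in zf.namelist())
    except zipfile.BadZipFile:
        return "OK"
    return "INFECTED" if infected else "OK"


def scan_archive_robust(data):
    """Scanner that does not trust the container: on a parse failure it
    falls back to lenient member recovery (the scan-after-extract step in
    the transcript above) and never lets a malformed archive pass silently."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = {n: zf.read(n) for n in zf.namelist()}
    except zipfile.BadZipFile:
        members = lenient_extract(data)
        if any(has_signature(m) for m in members.values()):
            return "INFECTED"
        return "SUSPECT"          # unparseable archive: flag it, do not pass it
    return "INFECTED" if any(has_signature(m) for m in members.values()) else "OK"


def demo():
    """Run both scanners over a clean archive and the crafted one."""
    clean = build_archive()
    crafted = damage_central_directory(clean)
    return {
        "signature_visible_in_raw_bytes": EICAR in crafted,
        "naive_clean": scan_archive_naive(clean),
        "naive_crafted": scan_archive_naive(crafted),
        "robust_crafted": scan_archive_robust(crafted),
        "recovered": lenient_extract(crafted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

 The design point is the one the transcript makes: a verdict of "OK"
 from an archive scanner only means "nothing recognised in what the
 parser could read", so a scanning pipeline should treat a parser
 failure as a reason to extract (or quarantine) rather than as a clean
 result.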
 
 -==================================================-
 
 CREDiTS
 ---------------------
 SecuBox Labs - fRoGGz
 Greets fly out to: maew, Jordi Bosveld & VirusTotal